The Information Commissioner’s response to the Department of Work and 
Pensions’ consultation on the health and disability green paper 


About the ICO 


The Information Commissioner has responsibility for promoting and enforcing the 
UK General Data Protection Regulation (‘UK GDPR’), the Data Protection Act 2018 
(‘DPA’), the Freedom of Information Act 2000 (‘FOIA’), the Environmental 
Information Regulations 2004 (‘EIR’) and the Privacy and Electronic 
Communications Regulations 2003 (‘PECR’). She is independent from 
government and upholds information rights in the public interest, promoting 
openness by public bodies and data privacy for individuals. The Commissioner 
does this by providing guidance to individuals and organisations, solving 
problems where she can, and taking appropriate action where the law is broken. 


Introduction 


The Information Commissioner’s Office (ICO) welcomes the opportunity to 
respond to the Department for Work and Pensions (DWP) consultation on the 
Health and Disability Green Paper. The ICO acknowledges how data can be used 
in novel and innovative ways to improve the experience people have of the 
benefits system as well as supporting disabled people and people with health 
conditions to achieve their full potential. 


The ICO supports the processing of personal data necessary to achieve goals set 
out within the consultation, provided that it is carried out in a manner that is 
compliant with data protection legislation. The individuals to whom the personal 
data relates are likely to be deemed vulnerable due to their disability/health 
condition and potentially their financial situation. As such, great care must be 
taken when processing their data to ensure it is done in a fair and transparent 
manner. The below response sets out data protection considerations to take into 
account when developing proposals, which will minimise the risk to potentially 
vulnerable data subjects and enhance trust and confidence in how their data is 
being used, particularly by public authorities. 


When considering the options for addressing some of the short- to medium-term 
issues in health and disability benefits, this response will focus on the areas of 
the consultation that fall within the ICO’s remit, including but not limited to, the 
gathering of medical evidence to enable health assessments and further 
digitisation of various aspects of the benefit system, including the continued use 
of video assessments. Whatever form future proposals take, the ICO recognises 
it is likely that data sharing will be required. Data protection is not a barrier to 
this, but rather it provides a framework through which organisations can share 
personal data fairly, securely and proportionately. 


Special category data 


The ICO supports the processing of data to assist disabled people and those with 
health conditions. However, where use of such data includes personal data, any 
processing must comply with data protection legislation. Achieving the overall 
objectives of the Green Paper will necessitate the processing of data concerning 
claimants’ health, which the UK GDPR defines as special category data. Further 
protection is needed for this and any other special category data that will be 
processed as a result of the Green Paper due to its sensitive nature, as its use 
creates significant risks to data subjects’ fundamental rights and freedoms. 


In order to lawfully process special category data, in addition to determining a 
lawful basis under Article 6 of the UK GDPR, a separate condition for processing 
under Article 9 must be identified. Some of the 10 conditions under Article 9 
require controllers to meet additional conditions set out in Schedule 1 of the Data 
Protection Act 2018 (DPA 2018). Some of the conditions for processing under 
Schedule 1 also require an appropriate policy document to be in place. 


Legislative consultation 


Section 214 of the consultation notes some of the longer-term amendments to 
future health assessments will require changes to legislation. Section 204 of the 
consultation also confirms legislation will be taken forward to alter the six-month 
rule with regards to terminally ill claimants. These appear to be the only sections 
of the consultation that make specific reference to changes in legislation; 
however, it is likely that further legislative changes will be necessary to progress 
proposals that result from the Green Paper. If any of the resulting legislative 
proposals relate to the processing of personal data then DWP will need to consult 
with the ICO during the formative stages of such initiatives. 


Article 36(4) of the UK GDPR requires government departments and relevant 
public sector organisations to formally consult with the ICO during the 
preparation of policy proposals for statutory or legislative measures that relate to 
the processing of personal data. DCMS have provided guidance on the application 
of Article 36(4)[2]. 


Data Protection Impact Assessments (DPIA) 


It is very likely that some proposals that result from the green paper will require 
DWP to carry out a DPIA. Article 35 of the UK GDPR obligates controllers to 
undertake a DPIA where processing is likely to result in high risk to the rights 
and freedoms of individuals. A DPIA is a useful tool that controllers can, or in 
certain circumstances must, use to identify and minimise data protection risks to 
data subjects. The ICO has produced guidance which details when controllers are 
legally required to undertake a DPIA and how they should be carried out[3]. 


Article 35(3) of the UK GDPR sets out three types of processing which always 
require a DPIA. Article 35(3)(b) requires organisations to undertake a DPIA if 
they plan to process special category data (or criminal offence data) on a large 
scale. Given the nature of the consultation, many of the proposals that result 
from the Green Paper will likely necessitate the processing of health data relating 
to a large number of claimants, and as such, will likely fall within scope of the 
aforementioned processing operation under Article 35(3)(b). In such instances a 
DPIA will need to be undertaken before any processing is carried out. 


There are also European guidelines[4] which list nine criteria of processing 
operations likely to result in high risk. Whilst this is no longer binding under UK 
law, it may still provide helpful guidance when considering what constitutes high 
risk. As required under Article 35(4), the ICO has also published a separate list of 
processing operations that require a DPIA, which complements and further 
specifies the criteria referred to in the European guidelines. Some of these 
operations require a DPIA automatically, and some only when occurring in 
combination with one of the other items within the ICO’s list, or with any of the 
European Guidance criteria. Even where proposals resulting from the Green 
Paper only involve one processing type from the Article 35(4) list that does not 
require an automatic DPIA, controllers should consider for themselves in their 
particular case whether this is sufficient to necessitate a DPIA, taking into 
account the nature, purpose, context and scope of the proposed processing. 


2 Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR) 
3 Data protection impact assessments | ICO 
4 European guidelines on DPIAs and determining whether processing is likely to result in high risk 


Information Commissioner’s Office 


If high risk is identified via a DPIA, and it cannot be sufficiently mitigated, the 
controller is legally required to consult with the ICO under Article 36(1) of the UK 
GDPR prior to the high risk element(s) of the processing being carried out. The 
ICO will give written advice within 8 weeks, or 14 weeks in complex cases. 


Proposals for future health assessments and data minimisation 


The ICO recognises the desire to gather better quality evidence at an earlier 
stage in the decision making process to support WCA and PIP assessments, as 
expressed by disabled people and people with health conditions, amongst other 
stakeholders, in section 191 of the consultation. 


Chapter 4 of the consultation looks at the potential for making longer term 
changes to future health assessments to support better outcomes for claimants. 
Sections 240-245 of the consultation look at the role that medical evidence 
plays in health assessments and enquires what type of evidence would be most 
useful for making decisions following a WCA or PIP assessment. 


It is not the ICO’s place to dictate what medical evidence DWP should be 
gathering to support assessments. As the controller, DWP is best placed to 
determine this. However, there are a number of data protection considerations to 
take into account when determining what evidence to collect; in particular, data 
minimisation. 


The data minimisation principle under Article 5(1)(c) of the UK GDPR requires 
that any data being gathered and subsequently processed must be adequate, 
relevant and limited to what is necessary in relation to the purpose for which 
they are processed. This is a key consideration to take note of when 
contemplating what medical evidence to gather for the purpose of supporting 
health assessments and ultimately progressing claims. 


This section of the consultation also enquires if there is any way to standardise 
the evidence gathering process. Data minimisation requires that the personal 
data must be limited to what is necessary in relation to the purpose for which it 
is being processed. If, for example, DWP is considering standardising this process 
by requesting the same medical evidence in all cases, then the department would 
need to identify the bare minimum amounts of data needed to support 
assessments and progress claims in all cases. The ICO recognises that each 
claimant’s situation is unique to them and it may not be possible to identify the 
standard minimum categories of data sufficient to progress claims in all cases. As 
such, DWP may wish to consider gathering this baseline minimum data in the 
first instance and then providing individuals with the option to provide 
supplementary information if they wish. This means a standardised approach 
could be applied to all cases in terms of the minimum baseline data needed to 
progress claims, but a case-by-case approach could then be applied to cases that 
require further information. The consultation does not seem to distinguish 
between the medical evidence the claimant has to provide and the information 
DWP wish to seek from other sources, such as medical practitioners. DWP should 
provide clarity and follow up on further information it requires, rather than 
applying a blanket approach for requesting large amounts of data from several 
sources. 


Sections 242 and 243 of the consultation highlight that a fit note is the most 
common form of evidence used by people receiving UC or ESA. A fit note may 
just clarify if a claimant is or is not fit for work but the request for medical 
evidence, from GPs for example, will likely result in the provision of special 
category data. Given the sensitivity of such data, it is important to ensure its 
processing is necessary if taking a standardised approach to gathering data. 


As well as being limited to what is necessary, another key aspect of Article 
5(1)(c) is that data must be relevant to the purpose for which it is being 
processed. As highlighted in section 218 of the consultation, feedback during 
Green Paper events suggested some claimants felt assessments often covered 
things that were not relevant to a person’s condition or circumstances. The ICO 
recognises it may be difficult to assess relevance early on during the benefit 
process as the DWP may not know what requested information is relevant until 
they assess the case and understand the individual circumstances of each claim. 
However, the department must at least be able to demonstrate why such 
requested data is likely to be relevant to a particular claim. 


The consultation explicitly asks how DWP can make sure that the evidence 
collected before a WCA or PIP assessment is relevant to a person’s ability to do 
certain things. Again, it would not be appropriate for the ICO to comment on 
what data is and is not relevant, and the controller would be best placed to 
determine this. However, when assessing relevance the controller must consider 
the rationale behind linking the data to the purpose for which it will be 
processed. In particular, the controller should consider if past conditions, such as 
a claimant’s broken leg when their current claim relates to mental health issues, 
are relevant to a current claim. Even current conditions or medication may not be 
relevant, such as details of contraception. 


When making changes to the health assessment process, particularly where such 
changes involve greater data sharing, DWP should consider the impact on GPs 
and other areas of the health sector who may take issue with the new process 
unless it translates well across a range of different systems, such as the ones 
used in the NHS. 


These data minimisation considerations may also apply to several other parts of 
the consultation. For example, sections 234-239 enquire what changes should be 
made to the PIP and WCA descriptors that make up the assessment criteria. 
When linked to data subjects, these descriptors will likely constitute personal 
data. When linked to individuals, DWP will need to consider if the potential 
descriptors are adequate, relevant and limited to what is necessary to carry out 
assessments. 


The ICO notes that many claimants feel the current process is prolonged and 
stressful. The ICO recognises DWP’s desire to rectify this by altering the current 
health assessment system to a more strategic, streamlined and simplified 
process. Data protection does not present a barrier to achieving this. When 
developing a standardised approach DWP may wish to map out the different 
avenues through which they receive evidence, including GPs and the claimants 
themselves, to identify ways to make the processing more efficient. 


Transparency information 


Transparency is a legal requirement under Article 5(1)(a) of the UK GDPR and a 
key component of fairness. As well as asking what medical evidence the DWP 
should request to support health assessments, the consultation enquires if 
evidence should be sought from other sources such as healthcare professionals 
and support organisations. It is not the ICO’s place to comment on this as it is a 
matter of policy for DWP. However, when DWP determine what evidence to seek 
and from whom, in addition to ensuring data minimisation, clear and 
comprehensive information on how personal data will be processed, known as 
privacy information, must be provided to data subjects in order to meet 
transparency obligations. 


Section 223 details a set of objectives for assessment reform which includes 
building trust through transparency and consistency. Complying with 
transparency obligations under data protection legislation is an important aspect 
of engendering public trust and confidence in how data is being processed, 
particularly if it relates to people with disabilities or health conditions. 


The provision of privacy information is also a right under Articles 13 and 14 of 
the UK GDPR, known as the right to be informed. The privacy information that 
must be provided will vary depending on whether it is being obtained directly 
from the claimant or from other sources, such as healthcare professionals. The 
ICO has produced further guidance on the right to be informed, including a 
summary of the privacy information controllers must provide[5]. 


It is likely that DWP’s existing privacy information will eventually need to be 
updated to take account of proposals and future processing that results from the 
Green Paper. To take the redesign of the assessment process as an example, it 
seems likely that the privacy information will need revising to reflect the 
additional categories of personal data that may eventually be requested in terms 
of medical evidence, as well as the source of such personal data (unless sourced 
from the data subject themselves) whether from healthcare professionals, 
support organisations or other parties. It is vital that DWP is transparent with the 
claimant in this regard. DWP may also wish to be clear where it would not seek 
further medical information from other sources such as healthcare professionals, 
particularly where claimants are likely to be under the impression that the 
department would. 


Under both Articles 13 and 14, organisations are required to specify the recipients 
or categories of recipients of personal data, meaning any controllers from whom 
DWP source medical evidence will need to update their own privacy 
information to take account of such disclosures. 


It is often effective to provide privacy information using a variety of different 
techniques. These include dashboards, layering and just-in-time notices. More 
information on this as well as other aspects of the right to be informed can be 
found in the ICO’s detailed guidance[6]. 


In general, DWP may wish to be more transparent with claimants in the first 
instance regarding the process by which a health assessment decision is made 
and what data the decision is based on. This may reduce the volume of queries 
or individual rights requests DWP receives following assessment decisions. 


5 Right to be informed | ICO 
6 The right to be informed | ICO 


Controllership and data processing arrangements 


As noted in the above section, the consultation has sought feedback on the 
possibility of seeking further medical evidence from other sources such as health 
professionals and support organisations. At this early stage, it is not clear what 
the relationship between DWP and these other organisations would be in relation 
to the use of such data to support assessments and progress claims. 


Other parts of the consultation allude to the possibility of further data processing 
arrangements between DWP and other bodies. For example, section 44 notes 
following Green Paper event feedback that the support DWP offer could be better 
joined up externally with services offered by other government departments and 
agencies, the NHS, local authorities and charities. If attempts are made to better 
join up these services, this would presumably involve the sharing of data 
between different bodies. 


When entering into future data processing or data sharing arrangements that 
result from the Green Paper, DWP must clearly establish their relationship with 
the other organisation(s) involved from the outset and ensure clarity of 
controller, joint controller and processor roles and responsibilities as required by 
Articles 24-29 of the UK GDPR[7]. 


If the above or other future proposals require DWP to enter into joint 
controllership with other bodies, a transparent arrangement must be put in place 
in accordance with Article 26 of the UK GDPR. Data sharing agreements (DSA) 
can be used to help controllers put such arrangements in place. When sharing 
data as a separate controller it is good practice to set up a DSA with other 
controllers involved, as recommended by the ICO’s Data Sharing Code of 
Practice[8]. A DSA should clearly set out the various roles and responsibilities of 
each party, such as clearly outlining what each party should do in the event of an 
individual rights request under the UK GDPR. Whether a joint or separate 
controller, in addition to the right to be informed, DWP must consider the 
claimant’s other data rights under Articles 12-22 of the UK GDPR and how to 
facilitate them. 


If DWP enter into controller-processor relationships both parties must establish a 
written contract that meets the minimum standards as set out under Article 28 of 
the UK GDPR[9], or update existing contracts to take account of any new 
arrangements that result from the Green Paper. 


7 Controllers and processors | ICO 
8 Data sharing: a code of practice | ICO 
9 Contracts | ICO 


Data minimisation and storage limitation 


Chapter 3 of the consultation looks at making improvements to the current 
service. Parts of this chapter appear to propose processing less data than under 
the current system. For example, sections 179-184 propose reducing the number 
of repeat assessments disabled people must go through where a person’s 
condition is unlikely to change. This would be likely to reduce the processing of 
data relating to those individuals. If the same objective of progressing claims can 
be achieved by processing less data, this would appear to align with the data 
minimisation principle, as data must be limited to what is necessary for the 
stated purpose. However, data minimisation also requires that data be 
‘adequate’, meaning the controller must be satisfied that the data they have 
processed from previous assessments up to this point is sufficient to fulfil the 
stated purpose. Consideration of these two aspects of the data minimisation 
principle should be carefully balanced to ensure processing is fair and 
proportionate to the claimant. 


Similar considerations should be taken into account when deciding whether to 
gather less data from people in the Severe Disability Group (SDG). As part of a 
simplified process, section 207 proposes that people within the SDG will no 
longer need to complete a detailed application form or go through an 
assessment. Similar considerations should also be given regarding the proposal 
to make decisions in straightforward cases without the need for an assessment 
with, and recommendation from, a healthcare professional, as noted in section 
173. 


Section 181 notes that repeat assessments on ESA/UC have stopped entirely for 
people with the most severe and lifelong conditions that are not likely to change. 
If so, consideration should be given to the retention of personal data relating to 
such individuals. The storage limitation principle under Article 5(1)(e) of the UK 
GDPR specifies that data must not be held for longer than is necessary in relation 
to the purpose for which it is processed. If DWP is satisfied that the condition of 
certain individuals is not going to improve then the department should consider if 
it is still necessary to retain all their personal data that has been gleaned from 
previous assessments and other sources, as the purpose of processing such data 
was to assess their condition to determine benefit entitlement. Practically 
speaking, the ICO recognises that some data will need to be retained, such as a 
minimal record as to their status and information necessary to provide the 
individuals with benefit payments. 


Any other use of personal data that results from this Green Paper will also be 
subject to the storage limitation principle, meaning it is important to update 
existing appropriate retention policies to reflect any subsequent processing, in 
particular, where this involves new categories of personal data. It is important 
that such retention policies are reviewed regularly, as appropriate, taking the 
context of processing into account[10]. 


The retention of data for longer than necessary also has implications for the 
lawful basis under which data is processed. Most lawful bases under Article 6 of 
the UK GDPR require that processing is necessary for the specific purpose. As 
such, retaining data for longer than it is needed is likely to reduce or limit the 
valid lawful bases DWP can rely on to process data, including ‘public task’ and 
‘legitimate interests’. Holding on to data for too long also risks such data being 
used in error or becoming inaccurate, out of date, excessive or irrelevant in 
contravention of the accuracy and data minimisation principles. It is important to 
erase or anonymise unnecessary data in order to reduce such risks. 


Digitisation of services 


The consultation makes several references to either digitising aspects of the 
benefit system, or extending digitisation to services that are already online to 
some extent. This includes, but is not limited to, developing fully digital versions 
of the UC50 and PIP2 forms, along with the online New Style ESA claim service 
already introduced (section 82), making ‘Access to Work’ a fully digital service 
(section 110) and providing access to employment support digitally (section 
150). 


When digitising services it is important to ‘bake in’ data protection from the 
outset by adopting a ‘data protection by design and default’ approach. Please see 
the below ‘accountability’ section for more information. It is also important that 
data is stored, accessed and transmitted in a secure manner across the various 
online platforms. Security must be a key consideration throughout this process. 
The integrity and confidentiality principle under Article 5(1)(f) of the UK GDPR 
states that robust organisational and technical measures must be put in place to 
ensure the integrity of personal data when, for example, PIP2 forms are being 
automatically uploaded, stored and accessed on the online platform. Solutions 
DWP may wish to consider when protecting the security of data would include 
role-based access controls and privacy-enhancing technologies (PETs). The ICO 
has produced guidance on security[11] that may be of use when considering what 
other security measures to implement when digitising various services. 


10 Principle (e): Storage limitation | ICO 


At this stage the consultation does not provide much detail on how, or whether, 
customers will be able to express their preferred method of using the various 
services which are moving to online platforms. It is important to consider 
unintended consequences of greater data sharing through digitisation, such as 
making certain individuals or groups less likely to access a service, despite being 
entitled to the benefits offered. Online services may not be appropriate for all 
users, such as those who are not computer-literate or do not have regular access 
to digital devices or the internet, and steps must be taken to accommodate these 
individuals’ needs when migrating to online platforms. The ICO recognises this 
may have already been considered given the commitment to provide non-digital 
alternatives noted within the consultation. The ICO also recognises the holistic 
approaches that are being proposed such as offering alternatives for those that 
cannot access online forms, and offering employment support as part of a mixed 
offer combining digital and face-to-face options. The ICO recommends that such 
flexibility is also considered when digitising other aspects of DWP’s services. 
However, it is not clear from the consultation if individuals who would prefer to 
maintain non-digital methods, such as filling out and posting physical forms, will 
be able to raise this prior to the digitisation of services, or if they will have to 
opt-out after the fact. 


Section 170 of the consultation references plans to develop an integrated health 
assessment service that will bring assessments for UC, ESA and PIP into a single, 
digital system. The same security and accessibility considerations detailed above 
should be taken into account when developing the integrated service. This 
section goes on to explain that where people are willing to provide consent, the 
new system will enable DWP to share medical evidence more easily. It is 
important here to make a distinction between an individual providing their 
permission for DWP to share their data via the digital platform, and a controller 
relying on the Article 6(1)(a) consent lawful basis, under which to process that 
individual’s data online. It is only appropriate to rely on consent where the 
controller can offer individuals genuine choice and control over how their data is 
used, rather than giving them choice over whether they would prefer their data 
to be shared digitally. In other words, the consent must be freely given. 


Organisations, such as the DWP, who are in a position of power over individuals 
may struggle to show valid freely given consent. Recital 43 of the UK GDPR 
states it is unlikely that consent will be freely given in all circumstances where 
there is a clear imbalance of power between the data subject and the controller. 
Claimants may be concerned that refusing consent may adversely impact the 
benefits they are receiving, and hence, feel compelled to consent. Public 
authorities such as the DWP should avoid relying on consent unless confident 
they can demonstrate it is freely given. 


11 Security | ICO 


The ICO supports the improvements and modernisation of its services through 
further digitisation, provided it is carried out in a secure manner that complies 
with data protection legislation. In particular, DWP may wish to consider how 
further digitisation could better facilitate data subjects in exercising their 
individual rights. 


ICO’s Regulatory Sandbox 


Sections 170-172 explain that the integrated health service referenced in the 
above section will be developed through DWP’s Health Transformation 
Programme (HTP). The integrated service will develop on a small scale to begin 
with in a small area called the Departmental Transformation Area (DTA). The first 
DTA location was launched in London on 21 April 2021. The consultation states 
that the full scale of what these areas can achieve is still developing. Those 
working on projects being developed by the HTP and/or DTA may be interested in 
the ICO’s Regulatory Sandbox. 


The ICO’s Regulatory Sandbox[12] is a service that supports organisations creating 
products and services which utilise personal data in innovative and safe ways. 
The sandbox is a free service which provides organisations with access to ICO 
expertise and can increase confidence in the compliance of a finished product or 
service. The sandbox is currently open to take on new participants for 2021/22 
with a particular focus on innovations involving data sharing from central 
government departments, amongst other sectors, and the use of innovative 
technology[13]. If the HTP and/or DTA are planning to develop innovative products 
or services that fall within these criteria, details on how to apply can be found on 
the ICO website[14]. 


12 Regulatory Sandbox | ICO 
13 Our key areas of focus for the Regulatory Sandbox 2021-22 | ICO 
14 How can we apply to the Sandbox? | ICO 


Automated processing and children 


The consultation does not make any mention of automated processing, and it is 
unclear if any initiatives, products or services that will result from the Green 
Paper would involve solely automated processing as defined in Article 22 of the 
UK GDPR. If any processing results that does fall within the scope of Article 22, it 
is important to note that individuals have the right not to be subject to a decision 
based solely on automated processing, including profiling, which produces legal 
or similarly significant effects concerning the individual. Controllers can only 
proceed with such processing where one of the three exceptions set out in Article 
22(2) applies. DWP must be transparent with data subjects where such 
processing is carried out. In such instances the privacy information it provides 
must be updated accordingly to include details of the existence of automated 
decision-making, including profiling. 


Where third parties are contracted to process data on behalf of the department, 
and this involves automated decision-making, DWP should be confident it 
understands the processing involved and could identify any errors or inherent 
bias within the system. 


The ICO has produced detailed guidance on the data protection requirements 
when using solely automated processing¹⁵. 


DWP must also ensure particular care where any automated processing involves 
children. There is a brief part of the consultation between sections 198-201 which 
covers people moving between child and adult benefits. It gives the example of 
young people claiming Child DLA being invited to apply for PIP at the age of 16. 
It is important to note that the United Nations Convention on the Rights of the 
Child (UNCRC) defines a child as a person under the age of 18 years. Recital 71 
to the UK GDPR makes it clear that decisions based on solely automated 
processing, including profiling as described above, ‘should not concern a child’. 
Profiling is also mentioned in Recital 38 to the UK GDPR as an area in which 
children merit specific protection with regard to their personal data. As under 18s 
are considered children under the UNCRC, DWP should consider how the data of 
16 and 17 year olds can be protected. 


In general, and where applicable, DWP should be designing their processes with 
the needs of children in mind, with the principle of ‘the best interests of the 
child’¹⁶ and the fairness principle under Article 5(1)(a) of the UK GDPR as key 
considerations. DWP would also need to ensure that privacy information provided 
to children is appropriately written so that they understand how the DWP use 
their data, and what data rights they have. 


15 Automated decision-making and profiling | ICO 
16 Convention on the Rights of the Child 


Video assessments 


Section 172 notes that action is being taken by the HTP to test video 
assessments through the integrated health assessment service. We understand 
that during the pandemic DWP have had to introduce assessments by video call, 
and by telephone, as face-to-face assessments could not be carried out. 
However, as society returns to normality it is important to assess the data 
protection implications of further rolling out video assessments in a business as 
usual context. In particular, security will be a key consideration when carrying 
out video calls, as it will for telephone assessments, the latter of which DWP plan 
to evaluate as noted in section 175. 


Section 177 confirms that over 750 data subjects have already gone through a 
video assessment as part of a test and, subject to an evaluation, plans are being 
progressed to increase the number of video assessments as part of a pilot. DWP 
must consider proportionality when deciding to carry out such assessments. 


When determining if the use of video assessments is proportionate, DWP should 
consider if its purpose is sufficiently important to justify any privacy intrusion 
that results from the call. Data subjects may feel that having part of the interior 
of their home potentially on display to the assessor in the background is much 
more intrusive than just speaking on the phone. This should be carefully 
balanced against the needs of claimants, for some of whom video assessments 
may be more appropriate than in-person or telephone assessments. It is also 
important to consider and mitigate against the possibility of some claimants 
feeling pressured into accepting video assessments despite reservations they 
may have around privacy intrusion, as they fear declining may adversely impact 
their claim. 


It is not clear from the consultation if video assessments will be recorded. 
Section 172 confirms DWP have started offering audio-recordings for telephone 
assessments and some face-to-face assessments to help improve trust in 
decisions. If video assessments will be recorded, consideration must be given to 
the storage limitation principle, as it should be for recordings of telephone and 
face-to-face assessments. If video calls will be recorded, the Department should 
consider if it is necessary to record the visual element of the assessment, and if 
just recording the audio would be sufficient. 


Accuracy of data 


The ICO recognises the desire to increase the accuracy of decisions made on 
benefit entitlement as noted within section 10 of the consultation. Complying 
with the accuracy principle under Article 5(1)(d) of the UK GDPR, which requires 
that data remains accurate and up to date, is key to achieving this goal¹⁷. This is 
particularly pertinent regarding the further digitisation of services as described 
above, where considerations relating to the accuracy of data being stored, 
transmitted and accessed on online platforms must be taken into account. In 
particular, regard needs to be given to the accuracy of data used to digitally 
verify claimants on these platforms. 


Feedback from Green Paper events suggests some claimants have concerns over 
the accuracy of data being recorded, particularly during health assessments. 
Section 160 notes that some felt assessment reports were not always accurate 
and could lead to poor decisions being made. Section 218 highlights claimants 
who felt their responses during assessments had not been accurately recorded 
and the process did not take into consideration how conditions can change over 
time. Such feedback highlights the importance of Article 5(1)(d), as decisions 
based on inaccurate or out of date data could have significant detrimental effects 
on individuals, such as adversely impacting their receipt of benefits or being 
unfairly sanctioned. As such, it is vital that steps are taken to ensure data is kept 
accurate and up to date, and to rectify or remove any inaccurate data without 
delay. Ensuring accuracy may also reduce the number of appeals and rectification 
requests DWP receives following an assessment decision. 


Accountability 


The accountability principle under Article 5(2) of the UK GDPR makes it clear that 
controllers are responsible for complying with the other data protection principles 
under Article 5(1), and they must also be able to demonstrate such compliance. 
For example, being able to demonstrate that the medical evidence being 
requested is limited to what is necessary to carry out a health assessment and 
progress a claim. Controllers need to put in place measures to meet the 
requirements of accountability, including carrying out DPIAs where there is high 
risk to data subjects as detailed earlier. We recommend DPIAs as good practice. 


17 Principle (d): Accuracy | ICO 


Another measure the ICO would like to highlight is adopting a ‘data protection by 
design and default’ approach¹⁸ which will enable effective implementation of the 
principles and safeguarding of individual rights. This approach requires 
organisations to ‘bake in’ data protection into processing activities from the 
outset. Taking this approach will ensure that DWP consider privacy and data 
protection issues at the design phase of any system, service, product or process 
that results from the Green Paper, including the potential digitisation of services 
detailed above or the possibility of creating a single assessment process for a 
new single benefit as noted in section 299. These data protection considerations 
must then continue throughout the lifecycle of such systems, products or 
services. 


The consultation highlights the importance of building trust and confidence 
whether that be in the assessment process or the quality of decision making. 
Accountability is vital to engendering public trust and confidence, and the ICO 
has published an accountability framework¹⁹ to aid organisations in demonstrating 
their compliance. 


Proposals and pilots with healthcare and other services 


As well as future systems, services, products or processes that may result from 
the green paper, the consultation also describes specific proposals or pilots, some 
of which have already commenced. When commencing or progressing such 
proposals, regard should be given to the data protection considerations described 
throughout this response. Specific proposals have been highlighted below, 
accompanied by particular data protection considerations that should be taken 
into account. 


Sections 126 and 127 describe the introduction of Health Model Offices which, 
amongst other aims, seek to improve links between jobcentres and health 
services by basing healthcare professionals in job centres and work coaches in 
GP surgeries. The data sharing between different organisations that is needed to 
carry out such initiatives will result in several data protection implications which 
need to be fully considered. In particular, it will be vital to clearly establish the 
relationship between these different organisations to clarify controller, joint 
controller and processor roles and responsibilities, and put in place any necessary 
arrangements or contracts as described earlier. Again, the ICO would advise 
taking a ‘data protection by design and default’ approach and providing adequate 
privacy information regarding the initiative to ensure transparency. DWP should 
also consider whether potentially vulnerable individuals may feel obliged to 
participate in the initiative. 


18 Data protection by design and default | ICO 


Along similar lines, section 144 describes how the DWP are continuing to provide 
employment support in health settings and lists specific initiatives that have been 
carried out. The ICO acknowledges the potential benefits of such joined up 
services but the same data protection matters as described in the previous 
paragraph must be carefully considered. It also seems likely that future 
initiatives which combine work and health services would require a DPIA, as 
would the specific initiatives listed in section 144. A DPIA must be kept under 
review and updated as appropriate following significant changes to initiatives. 


Section 252 explores the possibility of using a Health Impact Record (HIR) which 
would enable people to record the impact of their condition throughout their 
claim via a method of ongoing self-assessment. This seems to be a significant 
proposal, and it appears to suggest the record will be held by the claimant, 
rather than the DWP or another body, but the DWP may wish to clarify this point. 
Again, it is vital that controller/processor arrangements are clearly established 
and a ‘data protection by design and default’ approach is taken from the outset 
as this proposal may raise several implications regarding the sharing of data 
between DWP and other bodies such as health professionals. Of particular 
importance will be ensuring adequate security of the data being logged in the 
HIR. DWP must also be satisfied that the data recorded by the data subject 
accurately reflects the ongoing condition of the claimant, though the ICO 
recognises that others, such as healthcare professionals, could potentially 
contribute to the HIR as well. Steps must be taken to ensure that data within the 
HIR is kept up to date and accurate, particularly where there is a change in the 
data subject’s condition. Inaccurate data must be corrected or removed without 
delay and the ICO has produced guidance on the right to rectification²⁰ and 
erasure²¹. 


A further proposal which may also have significant implications, requiring further 
detailed considerations as described above and throughout the ICO’s response, is 
the development of the Access to Work Passport detailed in section 111 which 
will be continually updated to support disabled people moving into employment. 


20 Right to rectification | ICO 
21 Right to erasure | ICO 


Conclusion 


The ICO is happy to provide further input on the matters raised above and 
welcomes further engagement from DWP on any proposals that result from this 
Green Paper. The ICO also looks forward to receiving any Article 36(4) 
consultations that result from the proposed introduction of, and/or changes to, 
legislation. 


Information Commissioner’s Office 


2021/10/11 